Microsoft retiring compromised browser certificates

By Digital News Asia May 11, 2016

Certificates using SHA1 algorithm being retired

Browsers will report errors in sites using SHA1

Microsoft is planning to retire support for browser certificates signed using the SHA1 hashing algorithm in the next few months. Security researchers are warning that the widely used algorithm should be retired as soon as possible.

SHA1 is a cryptographic hash function. Like all hash functions, it takes an input message and generates a fixed-length string of letters and numbers that serves as a digital fingerprint for that message.

Like all fingerprints, the resulting hash is useful only as long as it is unique. The moment two different messages produce the same hash, the 'collision' can open the door to signature forgeries and hacks of secure internet transactions such as banking and online purchases.

Last year, Microsoft had hinted at retiring the certificates using SHA1 earlier than scheduled. It has now made those plans official.

What does this mean for the average Windows user?

In a few months, if you use Microsoft's Edge and Internet Explorer browsers, you will notice that they will not display the 'lock' sign in the address bar if you visit HTTPS sites protected by SHA1 certificates.

"This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program," the Microsoft Edge Team wrote in a blog post.

At the beginning of this year, browser certificate authorities ceased issuing SHA1-based certificates. In 2017, most browser makers will begin issuing errors when users visit HTTPS sites that rely on SHA1.

The retirement of the certificates had been planned for years after research in 2012 showed that SHA1 could be cracked. SHA1 is being replaced with SHA2, an algorithm that is more resistant to hacks.